The present disclosure is directed to a ransomware detection component or an anti-ransomware application that detects, stops, and removes ransomware from a computing system. In one embodiment, the anti-ransomware application may prevent new ransomware from infecting one or more components of the system or remove or disable existing ransomware that is already present on the system.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A system for mitigating the effects of ransomware attacks, comprising: a plurality of computing devices interconnected via a network; a plurality of storage devices, wherein each storage device is configured to store a plurality of data files in a plurality of file directories, wherein a select number of the plurality of storage devices include at least one shared file directory for storing a plurality of data files therein, wherein each shared file directory is configured to allow access to data files stored therein to a select number of the plurality of computing devices via the network; a ransomware detection component connected to a select number of the plurality of computing devices and storage devices via the network, wherein the ransomware detection component is configured to detect possible ransomware attacks and comprises: a honeypot deployment module configured to selectively deploy a plurality of honeypot data items into a select number of the plurality of storage devices, wherein a select number of the plurality of honeypot data items deployed are accessible to selected users of the system, wherein the honeypot data items comprise honeypot drives, honeypot files, and combinations thereof; a monitoring module configured to monitor a plurality of activities executed on data files stored in a select number of the plurality of storage devices, detect activities executed on data files that conform to at least one of a predefined set of activities, and generate a plurality of event data associated with each detected activity; a trigger rule module configured to determine, based on event data associated with each detected activity, whether a detected activity is indicative of a ransomware attack by a third party not authorized to execute such detected activity; an action script module configured to execute, based on a determination by the trigger rule module that a detected activity is indicative of a ransomware attack, at least one action script to mitigate access to shared data files should the detected activity be a ransomware attack; and a database module configured to store at least a portion of event data associated with detected activities.
2. The system of claim 1, wherein the honeypot deployment module deploys at least one honeypot data item into a majority of the shared file directories.
3. The system of claim 1, wherein the plurality of activities monitored comprises activities associated with predefined file types, predefined file activities, predefined directory activities, predefined user activities, predefined processes, and combinations thereof.
4. The system of claim 1, wherein the trigger rule module is configured to: determine whether an occurrence of a detected activity exceeds a predetermined threshold level associated with such activity; and based on whether the predetermined threshold is exceeded, determine whether the detected activity is indicative of a ransomware attack.
5. The system of claim 4, wherein the database is configured to store threshold data associated with a plurality of predetermined threshold levels with respect to selected activities executed on data files; wherein the trigger rule module is configured to access threshold data associated with a selected detected activity to determine whether the occurrence thereof exceeds the predetermined threshold level.
6. The system of claim 1, wherein at least one action script comprises at least one security action selected from the group consisting of preventing at least one process from accessing data files stored in at least one of the plurality of storage devices; suspending at least one process executing on data files stored in at least one of the plurality of storage devices; creating a backup copy of at least a portion of data files stored in at least one of the plurality of storage devices; terminating processes on at least one of the plurality of storage devices and plurality of computing devices; generating at least one alert in response to a determination that a detected activity is indicative of a ransomware attack; restricting access to the system of at least one user associated with a detected activity that is determined to be indicative of a ransomware attack; quarantining at least one of the plurality of storage devices and plurality of computing devices on which a detected activity is executed that is determined to be indicative of a ransomware attack; and combinations thereof.
7. The system of claim 1, wherein the database is configured to store a plurality of action scripts associated with a plurality of detected activities executed on data files; wherein the action script module is configured to access at least one action script associated with a selected detected activity to mitigate access to shared data files should the detected activity be a ransomware attack.
8. The system of claim 1, wherein the ransomware detection component comprises a plurality of monitoring modules, wherein each monitoring module is configured to: monitor a plurality of activities executed on data files stored in a select number of the plurality of storage devices; detect activities executed on honeypot data items that conform to at least one of a predefined set of activities; generate a plurality of event data associated with each detected activity; and transmit at least a portion of the generated event data to a select number of a remainder of the plurality of monitoring modules via the network for processing thereby.
9. The system of claim 1, wherein the ransomware detection component further comprises an input/output interface configured to receive a plurality of configuration data associated with configuration parameters for at least one of the at least one monitoring module, the trigger rule module, the action script module, the database, and combinations thereof.
10. A system for mitigating the effects of ransomware attacks, comprising: a plurality of computing devices interconnected via a network; a plurality of storage devices, wherein each storage device is configured to store a plurality of data files in a plurality of file directories, wherein a select number of the plurality of storage devices include at least one shared file directory for storing a plurality of data files therein, wherein each shared file directory is configured to allow access to data files stored therein to a select number of the plurality of computing devices via the network; a plurality of ransomware detection components, wherein each ransomware detection component is connected to a select number of the plurality of computing devices and storage devices via the network, wherein each ransomware detection component is operable to detect possible ransomware attacks and comprises: a honeypot deployment module configured to selectively deploy a plurality of honeypot data items into a select number of the plurality of storage devices, wherein a select number of the plurality of honeypot data items deployed are accessible to selected users of the system, wherein the honeypot data items comprise honeypot drives, honeypot files, and combinations thereof; at least one monitoring module configured to monitor a plurality of activities executed on data files stored in the plurality of storage devices, detect activities executed on data files that conform to at least one of a predefined set of activities, and generate a plurality of event data associated with each detected activity; a trigger rule module configured to determine, based on event data associated with each detected activity, whether a detected activity is indicative of a ransomware attack by a third party not authorized to execute such detected activity, and generate a plurality of event analysis data therefrom; an action script module configured to execute, based on a determination by the trigger rule module that a detected activity is indicative of a ransomware attack, at least one action script to mitigate access to shared data files should the detected activity be a ransomware attack; a database module configured to store at least a portion of event data associated with detected activities; and an input/output device configured to exchange at least a portion of at least one of event data associated with detected activities, event analysis data, at least one action script, status update messages, and combinations thereof with a select number of a remainder of the plurality of ransomware detection components via the network.
11. The system of claim 10, further comprising an anti-ransomware failover component connected to each of the plurality of ransomware detection components via the network, wherein the anti-ransomware failover component comprises: a failover processor for controlling the anti-ransomware failover component; a heartbeat component operatively connected to the failover processor and controlled in part by the failover processor, wherein the heartbeat component is operable to receive a plurality of status update communications from each of the ransomware detection components connected via the network; and a shared database connected to each of the ransomware detection components, wherein the shared database is configured to store a plurality of event data associated with detected activities, event analysis data, at least one action script, and combinations thereof received from each of the ransomware detection components; wherein the failover processor is operable to: generate at least one control signal for each ransomware detection component to transmit a status update message to the heartbeat component at specific intervals; receive a plurality of status update messages from the heartbeat component and generate status data for each ransomware detection component therefrom; determine, based on at least a portion of the status data, whether a selected ransomware detection component is functioning within predetermined parameters; in response to a determination that the selected ransomware detection component is not functioning within predetermined parameters, generate at least one command to restrict ransomware detection functionality of the non-functioning ransomware detection component; and transmit at least one command to a select number of a remainder of the plurality of ransomware detection components to undertake at least a portion of the ransomware detection functionality of the non-functioning ransomware detection component.
12. A method for mitigating the effects of ransomware attacks within a networked system, wherein the system comprises (a) a plurality of computing devices interconnected via a network, (b) a plurality of storage devices, wherein each storage device is configured to store a plurality of data files in a plurality of file directories, wherein a select number of the plurality of storage devices include at least one shared file directory for storing a plurality of data files therein, wherein each shared file directory is configured to allow access to data files stored therein to a select number of the plurality of computing devices via the network, and (c) a ransomware detection component connected to a select number of the plurality of computing devices and storage devices via the network for detecting possible ransomware attacks, wherein the ransomware detection component comprises (i) a honeypot deployment module, (ii) a monitoring module, (iii) a trigger rule module, (iv) an action script module, and (v) a database module, the method comprising: deploying, via the honeypot deployment module, a plurality of honeypot data items into a select number of the plurality of storage devices, wherein a select number of the plurality of honeypot data items deployed are accessible to selected users of the system, wherein the honeypot data items comprise honeypot drives, honeypot files, and combinations thereof; monitoring, via the monitoring module, a plurality of activities executed on data files stored in a select number of the plurality of storage devices, detecting, via the monitoring module, activities executed on data files that conform to at least one of a predefined set of activities, and generating a plurality of event data associated with each detected activity; determining, via the trigger rule module, based on event data associated with each detected activity, whether a detected activity is indicative of a ransomware attack by a third party not authorized to execute such detected activity, and generating a plurality of event analysis data therefrom; and executing, via the action script module, based on a determination by the trigger rule module that a detected activity is indicative of a ransomware attack, at least one action script to mitigate access to shared data files should the detected activity be a ransomware attack.
13. The method of claim 12, further comprising storing at least a portion of at least one of the plurality of event data associated with detected activities, the plurality of event analysis data, and combinations thereof in the database module.
14. The method of claim 12, wherein at least one honeypot data item is deployed into a majority of the shared file directories.
15. The method of claim 12, wherein the plurality of activities monitored comprises activities associated with predefined file types, predefined file activities, predefined directory activities, predefined user activities, predefined processes, and combinations thereof.
16. The method of claim 12, further comprising: storing threshold data associated with a plurality of predetermined threshold levels with respect to selected activities executed on data files in the database module; determining, via the trigger rule module, whether an occurrence of a detected activity exceeds a predetermined threshold level associated with such activity; and based on whether the predetermined threshold is exceeded, determining, via the trigger rule module, whether the detected activity is indicative of a ransomware attack.
17. The method of claim 12, wherein at least one action script comprises at least one security action selected from the group consisting of preventing at least one process from accessing data files stored in at least one of the plurality of storage devices; suspending at least one process executing on data files stored in at least one of the plurality of storage devices; creating a backup copy of at least a portion of data files stored in at least one of the plurality of storage devices; terminating processes on at least one of the plurality of storage devices and plurality of computing devices; generating at least one alert in response to a determination that a detected activity is indicative of a ransomware attack; restricting access to the system of at least one user associated with a detected activity that is determined to be indicative of a ransomware attack; quarantining at least one of the plurality of storage devices and plurality of computing devices on which a detected activity is executed that is determined to be indicative of a ransomware attack; and combinations thereof.
18. The method of claim 12, further comprising: storing a plurality of action scripts associated with a plurality of detected activities executed on data files in the database module; and accessing, by the action script module, at least one action script associated with a selected detected activity and executing the at least one action script to mitigate access to shared data files should the detected activity be a ransomware attack.
19. The method of claim 12, wherein the ransomware detection component further comprises a plurality of monitoring modules, the method further comprising: monitoring, by each of the monitoring modules, a plurality of activities executed on data files stored in a select number of the plurality of storage devices; detecting, by each of the monitoring modules, activities executed on honeypot data items that conform to at least one of a predefined set of activities; generating, by each of the monitoring modules, a plurality of event data associated with each detected activity; and transmitting, by each of the monitoring modules, at least a portion of the generated event data to a select number of a remainder of the plurality of monitoring modules via the network for processing thereby.
20. The method of claim 12, wherein the ransomware detection component further comprises an input/output interface, the method further comprising receiving, via the input/output interface, a plurality of configuration data associated with configuration parameters for at least one of the monitoring module, the trigger rule module, the action script module, the database, and combinations thereof.
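The monitoring module, threshold-based trigger rule and action script pipeline of claims 1, 4 to 6 and 12 to 17, shown as an added illustration (this is example code written for this page, not the patent's or any vendor's implementation). The honeypot paths, the per-user rate thresholds and the event stream are all constructed; the action scripts only record what they would do.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical honeypot paths planted in shared directories, and hypothetical per-user
# rate thresholds (operations of one kind per WINDOW seconds) for the trigger rule.
HONEYPOT_PATHS = {"/shares/finance/.archive/q1-budget.xlsx", "/shares/hr/.old/payroll.docx"}
THRESHOLDS = {"rename": 20, "write": 50, "delete": 20}
WINDOW = 10.0  # seconds

@dataclass
class Event:  # event data emitted by the monitoring module for one file operation
    ts: float
    user: str
    action: str  # read, write, rename, delete
    path: str

@dataclass
class Detector:
    events: list = field(default_factory=list)        # database module: stored event data
    actions_run: list = field(default_factory=list)   # action scripts that were executed
    _windows: dict = field(default_factory=lambda: defaultdict(deque))

    def monitor(self, ev):
        """Monitoring module: keep only the predefined activity set, then run the rule."""
        if ev.action not in THRESHOLDS and ev.path not in HONEYPOT_PATHS:
            return None
        self.events.append(ev)
        verdict = self.trigger_rule(ev)
        if verdict:
            self.action_script(ev, verdict)
        return verdict

    def trigger_rule(self, ev):
        """Trigger rule: a honeypot touch fires at once; other ops fire above the rate threshold."""
        if ev.path in HONEYPOT_PATHS:
            return "honeypot_access"
        q = self._windows[(ev.user, ev.action)]
        q.append(ev.ts)
        while ev.ts - q[0] > WINDOW:  # drop timestamps that fell out of the sliding window
            q.popleft()
        return f"{ev.action}_rate_exceeded" if len(q) > THRESHOLDS[ev.action] else None

    def action_script(self, ev, verdict):
        """Action script module: record the mitigations that would be applied."""
        self.actions_run.append(("restrict_user", ev.user, verdict))
        self.actions_run.append(("alert", ev.user, verdict))

def simulate():
    """Constructed event stream: benign edits, one honeypot read, then a rename burst."""
    d = Detector()
    for i in range(3):
        d.monitor(Event(float(i), "alice", "write", f"/shares/finance/report{i}.xlsx"))
    d.monitor(Event(5.0, "bob", "read", "/shares/hr/.old/payroll.docx"))
    for i in range(25):
        d.monitor(Event(10.0 + 0.2 * i, "mallory", "rename", f"/shares/finance/doc{i}.locked"))
    return d
```

Running `simulate()` fires once for the honeypot read and five times for the rename burst (the 21st to 25th renames inside the 10-second window), while the three ordinary writes stay below threshold and produce no action.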
April 4, 2018
March 31, 2020